Data Sheet

Cisco Secure PIX Firewall VPN Accelerator Card

Overview

The VPN Accelerator Card (VAC) for the Cisco Secure PIX Firewall series provides high-performance tunneling and encryption services suitable for site-to-site and remote access applications. This hardware-based VPN accelerator is optimized to handle the repetitive but voluminous mathematical functions required for IPsec. Offloading encryption functions to the card not only improves IPsec encryption processing, but also maintains high-end firewall performance. As an integral component of the Cisco virtual private network (VPN) solution, the VPN Accelerator Card provides platform scalability and security while working seamlessly with services necessary for successful VPN deployments: encryption, tunneling, and firewall.

High Performance

The VPN Accelerator Card, which fits in a PCI slot inside the PIX chassis, encrypts data using the 56-bit Data Encryption Standard (DES) or 168-bit 3DES algorithms at speeds up to 100 Mbps. A PIX equipped with a VAC supports as many as 2,000 encrypted tunnels for concurrent sessions with mobile users or other sites. In addition to encryption, the card handles a variety of other IPsec-related tasks (hashing, key exchange, and storage of security associations), which free the PIX main processor and memory to perform other perimeter security functions.

EncryptionDES and 3DES encryption are very CPU intensive, potentially impacting firewall performance in high-throughput configurations. The VAC makes it possible to send DES or 3DES encrypted data at high speed while still providing the full range of perimeter security services available from the Cisco Secure PIX Firewall.

AuthenticationRSA and Diffie-Hellman are CPU-intensive protocols that are used when a new IPsec tunnel is established. RSA authenticates the remote device while Diffie-Hellman exchanges keys that will be used for DES or 3DES encryption. The VPN Accelerator Card implements these protocols in specialized hardware ensuring fast tunnel setup and high overall encryption throughput.

TunnelingThe PIX and VAC support IPsec tunneling protocol enabling high-performance, flexible network designs for both remote access and site-to-site VPNs. Site-to-site solutions can be designed with PIX or combinations of PIX with Cisco VPN appliances or VPN-enabled multi-service routers. Remote access solutions can utilize Cisco's VPN client or other 3rdparty clients supporting the IPsec tunneling protocol.

Increased Security

The PIX VAC provides an extra level of security by segregating sensitive VPN information from standard system processing. Encryption, authentication, and key generation mechanisms are handled by onboard memory and processors. In addition, a hardware random number generator provides high-quality input to crypto functions, resulting in strong security while ensuring high throughput during process-intensive re-keying operations.

Easy Implementation

PIX Firewall automatically detects the presence of the VPN Accelerator Card and transfers encryption activities to the VAC without configuration changes. Throughput is enhanced through the use of specialized hardware to perform the complex mathematical transformations necessary to generate keys, authenticate devices, authenticate packets, and encrypt and decrypt data. The VPN Accelerator Card is fully compatible with network-layer IPsec and the Layer 3 encryption software services of the Cisco Secure PIX Firewall Software.